Abstract
We present an inner-product matchmaking encryption (IP-ME) scheme achieving weak privacy and authenticity in prime-order groups under the symmetric external Diffie–Hellman (SXDH) assumption in the standard model. We further present an IP-ME with Monotone Span Program Authenticity (IP-ME with MSP Auth) scheme, where the chosen sender policy is upgraded to MSP; this scheme also achieves weak privacy and authenticity in prime-order groups under the SXDH assumption in the standard model. Both schemes have more expressive functionalities than identity-based matchmaking encryption (IB-ME) schemes, and are simpler than Ateniese et al.’s modular ME scheme (Crypto’ 19). However, our schemes only achieve a very limited flavor of security, which is reflected in the privacy.
1. Introduction
1.1. Background
1.1.1. Matchmaking Encryption
Matchmaking Encryption (ME) is a cryptographic primitive introduced by Ateniese et al. [1]. It is motivated by the search for a noninteractive version of the secret handshake (SH) protocol [2], in order to get rid of real-time interactions and further enhance the privacy of participants. Besides noninteractivity and strong privacy, the definition of ME proposed by Ateniese et al. [1] also provides authenticity, thereby eliminating the “not credible” problem in anonymous communication.
Specifically, an ME scheme works as follows: the authority generates sender’s key with sender’s attributes , and receiver’s key with receiver’s attributes , and sends them to the sender and the receiver, respectively. When the sender wants to send a secret message, he specifies a policy , and encrypts the message with and , so that only the receiver whose attributes match the policy has the right for decryption. On the other hand, the receiver can also specify a policy , and make a query of to the authority, so that the receiver can identify the information source.
Based on the functionality of ME, there are several applications for ME in the real world. For example, Ateniese et al. [1] describe a setting in which the sender can specify that the receiver is an FBI agent who lives in NYC, and the receiver can also specify that the sender is a CIA agent. If the decryption fails, no private information will leak. Another example by Ateniese et al. [1] is encryption bids. Bidders send private bids to a collector encrypted with their chosen conditions, and the collector opens the bids that match specific requirements. Also, if the decryption fails, the collector does not know the reason and gains no information about the actual bids. Ateniese et al. [1] also present an implementation of a privacy-preserving bulletin board combining Tor hidden services with ME, which allows parties to collect information from anonymous but authentic sources.
1.1.2. Identity-Based Matchmaking Encryption
A special case of ME is identity-based ME (IB-ME), where the two policies are both equality. And since its policy is simple, IB-ME removes the algorithm (ref. Section 2.4), so that it can eliminate the process of sending the decryption key from the authority to the receiver. IB-ME is well-suited for the application of spy communication that the spy can encrypt and decrypt the messages simply in the light of identities.
There have been several works about IB-ME. The first proposed IB-ME scheme is from Ateniese et al.’s [1] work, which is comparatively simple and concrete, and based on Bilinear Diffie–Hellman (BDH) assumption in the random oracle model. Then, Francati et al. [3] improve the random oracle model into the standard model, but under a nonstandard q-type assumption. Subsequently, Chen et al. [4] accomplish IB-ME under standard Symmetric External Diffie–Hellman (SXDH) assumption in the standard model and with a more direct construction.
1.1.3. Inner-Product Matchmaking Encryption
When the two policies are restricted to inner-product, we can obtain another special case of ME, i.e., inner-product ME (IP-ME). The inner-product policy demands that only the attributes, whose inner product with the vector of policy is zero, can match it. This policy can be adopted into some real scenarios, especially statistics related scenarios. For example, a company S, playing the role of sender, specifies a weight vector as the policy, and he wants to tell the company R, playing the role of receiver, a secret (e.g., “We can cooperate against the company A”), whose weighted sum of attributes (e.g., scores) equal to the target value. When company R receives the ciphertext, he tries to decrypt it with his chosen weight vector. If the decryption succeeds, it implies that company R is willing to cooperate with company S, and otherwise, there would not be any cooperation between company S and company R.
1.1.4. Inner-Product Matchmaking Encryption with Monotone Span Program Authenticity
We can further upgrade IP-ME to IP-ME with Monotone Span Program Authenticity (IP-ME with MSP Auth), where the chosen sender policy is changed into MSP [5–7]. This provides more power for the receiver, since the policy is more expressive. In the above “cooperation” scenario, company R can specify his cooperator more precisely by setting a more precise policy.
1.2. Contributions
In this work, we mainly present an IP-ME scheme and an IP-ME with MSP Auth scheme, which are more expressive than IB-ME [1, 3, 4] and of simpler constructions than the modular ME [1], both in prime-order groups under standard SXDH assumption in the standard model. Our schemes are both with reasonable sized parameters, where denotes the size of each user’s attributes, and both achieve authenticity but only weak privacy (ref. Def 4). As preparations for the prime-order versions, we also present the corresponding composite-order versions for our IP-ME and IP-ME with MSP Auth schemes. Our composite-order schemes are under subgroup decision (SD) assumption in the standard model, also with sized parameters and achieve weak privacy and authenticity.
More specifically, our schemes have the following advantages:
(i) More Expressive Functionalities: Compared to the current works of IB-ME with concrete constructions [1, 3, 4], our IP-ME and IP-ME with MSP Auth are of more expressive functionalities.
(ii) Simpler and More Concrete Constructions: Compared to the modular ME scheme of Ateniese et al. [1], which is constructed of FE, Signature, and NIZK in a black-box manner, our schemes are directly constructed from a combination of two encryption instances, so that our schemes are simpler and more concrete than [1].
(iii) Standard and Efficient: Our schemes are under standard assumptions, SXDH and SD assumptions, and are in the standard model. Besides, our main schemes are in prime-order groups [8], and of sized parameters, which is fairly reasonable since it is linear in the size of each user’s attributes, not of a higher order of magnitude.
We would like to clarify that our schemes only achieve a very limited flavor of security notion compared with the original security notion of ME, since we cut down some possible cases.
We present a detailed comparison with currently related works in Table 1, and a detailed cost of our prime-order schemes in Table 2.
1.3. Technical Overview
1.3.1. Starting Point
Our goal is to construct ME schemes simpler than the modular one by Ateniese et al. [1], while extending the functionality of IB-ME, for which several concrete constructions already exist. Following [4], we start with the two-layer structure, which is a non-black-box combination of two instances of ABE schemes. Compared with the study of Ateniese et al. [1], the two-layer structure requires only ABE as a building block, so it might lead to simpler constructions. The two-layer structure works because we can take the first-layer instance as a weakly attribute-hiding ABE [9, 10], and the second-layer instance as a Signature with fine-grained control. We present an illustration of the two-layer structure in Figure 1. Our main task is then to work out a way of combining the two instances.

1.3.2. Overview of Challenges
We would like to say ahead that such a combination is not trivial, since we need to guarantee the correctness and avoid the independence of the two instances simultaneously. And different from IB-ME, the more expressive ME requires the algorithm . This means that the design idea is very different from IB-ME [4], although the basic frameworks are both the two-layer structure. What is more, for the second signature layer, attribute-based signature (ABS) is a more complex primitive than identity-based signature (IBS), so the combination is more challenging.
1.3.3. IP-ME
As a first try, we consider how to combine two IPE instances. Before going to the details, we need to first select which IPE construction is our basic construction for each layer. Here, we use the modular framework by Chen et al. [11] and Wee [12] and the predicate encodings summarized by Wee [12] to obtain our basic construction, and it is as below:
When combining the two instances, we observe that the two instances need to be orthogonal with each other. That is, for example, for and (the superscripts and denote the instances in the first layer and in the second layer, respectively), it requires that , otherwise, there will be terms like in decryption phase, which cannot be canceled out due to the different randomness and picked in the different instances. To obtain the orthogonality, we think about the technique used in Lewko and Waters’s [13] work. Following the study of Lewko and Waters [13], we place the two instances in different subgroups. The challenge is then how to combine the two instances validly. At a high level, it seems that we can set and as of IPE just with different randomness, set as of IPE corresponding to , and set as a combination of and of IPE. However, this will make the two instances totally independent. That is, if we design the scheme as above, the decryptor will actually not need , and thus the sender can arbitrarily change . This invalidates the second layer instance. To tackle this issue, we attach an element , which is in the subgroup of the second instance, to , so that if the decryptor does not use , he would not be able to decrypt the ciphertext successfully. Meanwhile, to guarantee the correctness of the scheme, we also need to attach some other components to some places, so that we can cancel out the extra element in . Our idea is to attach the same element to , then we can leverage the decryption process of IPE to remove this extra element.
Notably, this design requires the first element of the sender’s attribute vector to be . This can be easily achieved in inner-product setting, since we can assume the first element as without loss of generality.
For security analysis, we observe that the two-layer structure prevents us from setting exactly the same mismatch conditions and match conditions as by Ateniese et al. [1]. For mismatch conditions, we can only set that does not match and does not match . For match conditions, it actually corresponds to the fully attribute-hiding property, however, our basic IPE only achieves weakly attribute-hiding. Therefore, we relax the full privacy by Ateniese et al. [1] to a weak version here (weaker mismatch conditions and without match conditions). This is a weaker and very limited security notion. As for authenticity, it can be directly reduced to the security of the second layer IPE scheme.
Next, we need to transform the composite-order version into a prime-order version. By now, there has been a line of research on the techniques for simulating composite-order groups in prime-order groups [7, 11, 14–21], which can be divided into two categories: dual system group (DSG) [22] and dual pairing vector spaces (DPVS) [23, 24]. DSG seems to be more efficient and simpler; however, it crucially relies on the property of associativity saying that the terms with “” can be canceled out by the fraction. But such a cancellation requires the coefficients of the randomness to be the same, which our construction cannot achieve (this is exactly why the two instances of our construction must be orthogonal with each other). Therefore, we choose to use DPVS, which satisfies our “orthogonal” requirement well, to simulate our composite-order scheme. More specifically, we first use DPVS to simulate our composite-order scheme in a prime-order scheme, and rely on the decisional subspace (DS) assumption [25, 26], which is further based on the SXDH assumption, to prove the security.
1.3.4. IP-ME with MSP Auth
We then upgrade IP-ME to IP-ME with MSP Auth, where the second layer is changed to ABE for MSP. One notable point is that for ABE, there are two types according to where the policy embedded, Ciphertext-Policy ABE (CP-ABE) and key-policy ABE (KP-ABE). To transform an ABE to ABS, only CP-ABE is feasible [27–30]. This is determined by the functionalities of CP-ABE and ABS. However, to the best of our knowledge, based on the framework in [11, 12], there is no predicate encoding of CP-ABE for MSP that the encoding of is random. Thus, we cannot obtain an ABS for MSP from a CP-ABE when following the modular framework [11, 12]. Lack of the second layer Signature, it seems that our IP-ME with MSP Auth scheme has to be terminated. Fortunately, we notice that the “non-random” of of the second layer ABE won’t break the authenticity (also unforgeability) property, since the authenticity is derived from the security of ABE.
For the concrete constructions, we also start from the composite-order groups, and simulate it into prime-order groups. As our IP-ME, we first select our basic constructions for each layer. Here, for the first layer, the basic construction is exactly the basic IPE in our IP-ME, and for the second layer, the basic construction is an ABE scheme for MSP, which can also be obtained from the study of Chen et al. [11] and Wee [12]. The ABE for MSP is as follows:where , .
For composite-order version, we can adopt similar idea of our IP-ME to obtain the final construction. Specifically, we use an extra as our IP-ME, to combine the two instances validly. But different from our IP-ME, where we attach the entire to only one component in , we secretly share as , and attach each share to the corresponding component in , so that we can leverage the reconstruction process for to reconstruct too. Then, we adopt the same technique as used in our IP-ME to simulate our IP-ME with MSP Auth in composite-order groups into one in prime-order groups.
1.4. Related Works
The first modular ME scheme is proposed by Ateniese et al. [1], and it is constructed from functional encryption (FE), signature, and noninteractive zero-knowledge proofs (NIZK), in a black-box manner. Ateniese et al. [1] also present an IB-ME scheme based on BDH assumption, whose structure is more direct than the proposed modular ME, but is in the random oracle model. In the journal version of Ateniese et al.’s [31] work, they show several other theoretical constructions of ME. Subsequently, Francati et al. [3] present an IB-ME scheme without random oracle and achieving enhanced privacy, which is constructed from reusable computational extractors, Signature and NIZK, but is based on q-type assumption. Then, Chen et al. [4] present the first IB-ME scheme based on standard assumption and in the standard model. Their scheme is directly derived from a two-layer structure of anonymous IBE-based on SXDH assumption. Recently, Francati et al. [32] present the first ME scheme that supports general policies from LWE at the price of having security only in case of a mismatch.
Following the study by Ateniese et al. [1], Xu et al. [33] present a new primitive called matchmaking attribute-based encryption (MABE), which offers secure fine-grained bilateral access control, but different from ME, their MABE seems to only hide the challenge and , thus it does not provide anonymity. Subsequently, to tackle the issue in ME and MABE that the data decryption process costs a lot, which restricts them to be applied in resource-constrained IoT devices, Xu et al. [34] introduce another new primitive called lightweight matchmaking encryption (LME) and give a concrete construction.
2. Preliminaries
2.1. Notations
We use to denote random sampling, and use to denote probabilistic polynomial time. We use to denote a negligible function in security parameter . And we use boldface uppercase letter to denote matrix, use boldface lowercase letter to denote vector. We use to denote concatenation, and use to denote inner product.
2.2. Dual Pairing Vector Spaces
In cryptography, dual pairing vector spaces mainly relates to the algorithm as follows [7, 23, 25]:
(i) Sample random bases and over , where is a prime.
(ii) Output and .
Such bases are subject to the constraint, called “dual orthonormal”, as follows:
whenever , and
for all , where is a random element over .
Then let be a nondegenerated asymmetric bilinear group mapping generated from group generator , where , and are of prime order . We have
whenever .
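The dual orthonormal relation above, as an added example that is not code from the paper: it samples the two bases with one standard method (the second basis is a random nonzero scalar times the inverse transpose of the first) and checks the relation on exponent vectors, where pairing two vectors of group elements corresponds to taking the inner product of their exponents. The modulus `Q`, the dimension and all function names are assumptions made for illustration; no pairing group is instantiated.

```python
import secrets

# Assumption: a constructed toy prime modulus (Mersenne prime), not a real pairing group order.
Q = 2**61 - 1


def mat_inverse_mod(m, q):
    """Gauss-Jordan inverse of a square matrix over Z_q; returns None if singular."""
    n = len(m)
    aug = [[x % q for x in row] + [int(i == j) for j in range(n)]
           for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, q)          # modular inverse (Python 3.8+)
        aug[col] = [x * inv % q for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % q for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def dual_gen(n, q=Q):
    """Sample (B, B*, psi) with <b_i, b*_j> = psi if i == j else 0 (mod q)."""
    while True:
        b = [[secrets.randbelow(q) for _ in range(n)] for _ in range(n)]
        b_inv = mat_inverse_mod(b, q)
        if b_inv is not None:                    # resample in the rare singular case
            break
    psi = 1 + secrets.randbelow(q - 1)           # random nonzero scalar
    # Rows of B* are psi times the columns of B^{-1}: B* = psi * (B^{-1})^T.
    b_star = [[psi * b_inv[r][c] % q for r in range(n)] for c in range(n)]
    return b, b_star, psi


def inner(u, v, q=Q):
    """Inner product mod q; models the exponent of the pairing of two vectors."""
    return sum(a * b for a, b in zip(u, v)) % q


def combine(coeffs, basis, q=Q):
    """Exponent vector of sum_i coeffs[i] * basis[i]."""
    n = len(basis[0])
    return [sum(c * row[k] for c, row in zip(coeffs, basis)) % q for k in range(n)]


def gram(b, b_star, q=Q):
    """Matrix of all pairwise inner products <b_i, b*_j>."""
    return [[inner(bi, bj, q) for bj in b_star] for bi in b]


def pairing_exponent(x, y, b, b_star, q=Q):
    """Exponent obtained when pairing x encoded over B with y encoded over B*.
    It always equals psi * <x, y>, so it is zero exactly when <x, y> = 0."""
    return inner(combine(x, b, q), combine(y, b_star, q), q)
```

Coefficient vectors supported on disjoint basis indices always give exponent zero, which is the "orthogonal instances" property the overview relies on when choosing DPVS.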
2.3. Assumptions
Definition 1. (Subgroup decision problem). [13, 35] Let be a nondegenerated asymmetric bilinear group mapping generated from group generator , where , and are of order , and are primes. For , let denote the corresponding subgroup whose order is , and denote the corresponding subgroup whose order is . Let denote the generator in subgroup , and denote the generator (of arbitrary choice) in subgroup . Similar for group .
Subgroup decision problem says that given , , and , for any adversary , distinguishing and is hard.
In math language, it says that
Remark 1. The problem also holds when the subscripts are permuted.
Remark 2. We would like to explain that when writing as , should be restricted to . This will lead to a negligible difference of . For simplicity, we omit this negligible probability below, and simply write it as , where .
Definition 2. (Decisional subspace problem). [12, 13] Let be a nondegenerated asymmetric bilinear group mapping generated from group generator , where , and are of prime order . Let be two random bases that are dual orthonormal. Pick .
Decisional subspace problem in (DS1) says that, given
where and are positive integers satisfying , for any adversary , distinguishing and is hard.
In math language, it says that
where
Remark 3. Decisional subspace problem in (DS2) is almost the same as decisional subspace problem in , except the roles of and are exchanged.
Remark 4. Decisional subspace problem can be tightly reduced to symmetric external Diffie–Hellman problem in each group [25].
2.4. Matchmaking Encryption
This section is mainly modified from [1].
2.4.1. Syntax
An ME consists of the following polynomial-time algorithms; all the algorithms are probabilistic except , which is deterministic:
(i) Take as input the security parameter , then output the master public key , the master policy key and the master secret key .
(ii): Take as input the master public key , the master secret key , and the attributes , then output a secret encryption key associated with for the sender.
(iii): Take as input the master public key , the master secret key , and the attributes , then output a secret decryption key associated with for the receiver.
(iv): Take as input the master public key, the master policy key , and the policy , then output a secret decryption key for the receiver.
(v): Take as input the master public key , the secret encryption key , the policy and the message , then output a ciphertext associated with and .
(vi): Take as input the master public key , the secret decryption key , the secret decryption key and the ciphertext , then output either a message or .
Definition 3. (Correctness of ME). We say an ME scheme is correct, if we have
whenever matches and matches , and otherwise
2.4.2. Security
Definition 4. (Weak privacy of ME). We say an ME scheme satisfies weak privacy, if for any valid adversary , we have
where is defined in Figure 2. Adversary is called valid if , it satisfies the following condition:
(i) (Mismatch Condition). does not match and does not match .

Definition 5. (Authenticity of ME). We say an ME scheme satisfies authenticity, if for any adversary , we have
where is defined in Figure 2.
Definition 6. (Weak security of ME). We say that an ME scheme satisfies weak security, if it satisfies weak privacy and authenticity.
3. Our IP-ME in Composite-Order Groups
We first present an IP-ME in composite-order groups, whose order is a product of three primes. And without loss of generality, we assume in .
3.1. Construction
(i):
  (1) Run the group generator , then output .
  (2) Pick , then output
  (3) Store secretly
(ii):
  (1) Pick , then output
(iii):
  (1) Pick , then output
(iv):
  (1) Pick , then output
(v):
  (1) Pick , then output
(vi):
  (1) Compute
3.1.1. Correctness
The correctness follows from
Remark 5. When the subscript of product sign is a single , it refers to .
3.2. Security Analysis
Theorem 1. The IP-ME scheme satisfies weak privacy and authenticity under SD assumptions.
The proof is similar to that of Theorem 4, which follows the dual system encryption methodology (turning the normal ciphertext and secret key into semifunctional forms, leading to unconditionally failed decryption, and achieving attribute-hiding via the attribute-hiding encoding), so we omit it here.
4. Our IP-ME in Prime-Order Groups
We transform our composite-order IP-ME into prime-order version in this section. With DPVS, our substitutions are as below:
We also assume in without loss of generality.
4.1. Construction
(i):
  (1) Run the group generator , then output .
  (2) Sample random dual orthonormal bases . Let denote the elements of and denote the elements of . Let .
  (3) Pick , then output
  (4) Store secretly
(ii):
  (1) Pick , then output
(iii):
  (1) Pick , then output
(iv):
  (1) Pick , then output
(v):
  (1) Pick , then output
(vi):
  (1) Compute
4.1.1. Correctness
The correctness follows from
Remark 6. When the subscripts of product sign and summation sign are a single , it refers to .
4.2. Security Analysis
Theorem 2. The IP-ME scheme satisfies weak privacy and authenticity under DS assumptions.
The proof is similar to that of Theorem 4, which follows the dual system encryption methodology (turning the normal ciphertext and secret key into semifunctional forms, leading to unconditionally failed decryption, and achieving attribute-hiding via the attribute-hiding encoding), so we omit it here.
5. Our IP-ME with MSP Auth in Composite-Order Groups
In this section we present our IP-ME with MSP Auth in composite-order groups, whose order is a product of three primes. And note that here, we assume sender’s attributes .
5.1. Construction
(i):
  (1) Run the group generator , then output .
  (2) Pick , then output
  (3) Store
(ii):
  (1) Pick , then output
(iii):
  (1) Pick , then output
(iv):
  (1) Pick , and set . Then output
(v):
  (1) Pick , then output
(vi):
  (1) Compute , such that
  Then
5.1.1. Correctness
The correctness follows from
Remark 7. When the subscript of product sign is a single , it refers to . And when the subscript of product sign is a single , it refers to traversing the set .
5.2. Security Analysis
Theorem 3. The IP-ME with MSP Auth scheme satisfies weak privacy and authenticity under SD assumptions.
The proof is similar to that of Theorem 4, which follows the dual system encryption methodology (turning the normal ciphertext and secret key into semifunctional forms, leading to unconditionally failed decryption, and achieving attribute-hiding via the attribute-hiding encoding), so we omit it here.
6. Our IP-ME with MSP Auth in Prime-Order Groups
We also transform our composite-order IP-ME with MSP Auth into a prime-order version, as in Section 4. And we also assume sender’s attributes .
6.1. Construction
(i):
  (1) Run the group generator , then output .
  (2) Sample random dual orthonormal bases . Let denote the elements of and denote the elements of . Let .
  (3) Pick , then output
  (4) Store secretly
(ii):
  (1) Pick , then output
(iii):
  (1) Pick , then output
(iv):
  (1) Pick , and set . Then output
(v):
  (1) Pick , then output
(vi):
  (1) Compute , such that
  Then
6.1.1. Correctness
The correctness follows from
Remark 8. When the subscripts of product sign and summation sign are a single , it refers to . And when the subscript of product sign and summation sign are a single , it refers to traversing the set .
6.2. Security Analysis
Theorem 4. The scheme satisfies weak privacy and authenticity under DS assumptions.
6.2.1. Proof of Theorem 4
Proof of Privacy
Theorem 5. For any adversary , we have
where are defined in the following lemmas, and without loss of generality, we assume the upper bounds of the number of and are both equal to .
Proof. We adopt the dual system encryption methodology to prove weak privacy [13, 36]. Roughly speaking, dual system encryption methodology is a proof strategy that utilizes another subgroup for increasing the entropy, so that we can finally achieve unconditionally failed decryption (and weak attribute-hiding). We first present the forms of and used in our proof:
(i) Form of :
  (i) Normal:
(ii) Forms of :
  (i) Normal:
  (ii) SF 1: where .
  (iii) SF 2: where .
  (iv) SF 3:
(iii) Form of :
  (i) Normal:
(iv) Forms of :
  (i) Normal:
  (ii) SF: where .
We then list our games as follows:
(i): This is the same as the real construction.
(ii): This is the same as , except that we change from Normal to SF.
(iii): For , is the same as , except that we change from Normal to SF 1. Note that is exactly .
(iv): For , is the same as , except that we change from SF 1 to SF 2.
(v): For , is the same as , except that we change from SF 2 to SF 3.
(vi): This is the same as , except that we change the challenge to , where and .
Lemma 1. Under DS1 assumption, we have
Proof. Suppose that we have
where is a non-negligible value.
Then we can build a adversary so that as follows:
is given , then pick . sends to , and stores secretly.
Upon making queries for , simulates as the real algorithm does, and sends the outputs back to .
Upon making queries for , simulates as the real algorithm does, and sends the outputs back to .
Upon making the challenge , chooses , and simulates as follows:
Pick , then generate with the challenge of DS1 assumption as follows: sends back to .
Observe that if where , is the same as ; if where , is the same as . Then we can successfully build an adversary to break DS1 assumption, which is contrary to the fact that breaking DS1 assumption is hard.
Lemma 2. Under DS2 assumption, we have
Proof. Suppose that we have
where is a non-negligible value.
Then we can build a adversary so that as follows:
is given , then pick . sends to , and stores secretly.
Upon making queries for , simulates as the real algorithm does, and sends the outputs back to .
Upon making queries for , simulates for as follows:
Pick , then generate as follows: simulates for as follows:
Generate with the challenge of DS2 assumption as follows: simulates for as the real algorithm does, and then sends back to .
Upon making queries for , simulates as the real algorithm does, and sends the outputs back to .
Upon making the challenge , chooses , and simulates as follows:
Pick , then generate as follows: sends back to .
Observe that if where , is the same as ; if where , is the same as . Then we can successfully build an adversary to break DS2 assumption, which is contrary to the fact that breaking DS2 assumption is hard.
Lemma 3. We have That is, and are identically distributed.
Proof. Observe that the change occurs only in , which is from to . The identical distribution follows from -privacy property and the attribute-hiding encoding [11, 12].
Lemma 4. Under DS2 assumption, we have
Proof. Suppose that we have
where is a non-negligible value.
Then we can build a adversary so that as follows:
is given , then pick . sends to , and stores secretly.
Upon making queries for , simulates as the real algorithm does, and sends the outputs back to .
Upon making queries for , simulates for as follows:
Pick , then generate as follows: simulates for as follows:
Generate with the challenge of DS2 assumption as follows: simulates for as the real algorithm does, and then sends back to .
Upon making queries for , simulates as the real algorithm does, and sends the outputs back to .
Upon making the challenge , chooses , and simulates as follows:
Pick , then generate as follows: sends back to .
Observe that if where , is the same as ; if where , is the same as . Then we can successfully build an adversary to break DS2 assumption, which is contrary to the fact that breaking DS2 assumption is hard.
Lemma 5. We have That is, and are identically distributed.
Proof. The symmetric key is changed into random values and the predicate encoding of inner product satisfies the attribute-hiding encoding in [11]; thus and are identically distributed.
Proof of Authenticity
Theorem 6. For any adversary , we have where is defined in the following lemma.
Proof. The authenticity can be reduced to the security of the ABE scheme corresponding to pair based on DS assumptions, which is embedded in our IP-ME with MSP Auth scheme.
Suppose that
where is a non-negligible value.
Then we can build an adversary so that as follows:
Upon making a query of , generates and as the real algorithms do, and sends and back to . Then can find satisfying with probability such that is also valid for generating when decrypting with policy , and then sends to . Note that the fact that and are both valid for implies that for a ciphertext associated with in the underlying ABE, there would be two valid secret keys associated with and respectively. Therefore, can make secret key query of , and challenge and . Then can distinguish the challenge ciphertext easily by using the secret key associated with . Thus, we obtain a contradiction.
7. Conclusion
ME is a cryptographic primitive that supports fine-grained access control for both the sender and the receiver. It can be applied in scenarios that especially require anonymity, such as the Tor network. Currently, there exists a nontheoretically modular framework of ME, but it consists of more than one building block, so its construction is not simple enough and might be under different assumptions or even not in the standard model. There also exist some IB-ME schemes, which support only the equality policy but have comparatively simple constructions.
For cryptographic primitives, schemes under standard assumptions are desirable, since standard assumptions are well-studied and can therefore guarantee the security better. Schemes in the standard model are also desirable, since schemes in the standard model are more secure than those not in the standard model. For example, there have been some schemes secure in the random oracle model, but not secure in the standard model.
To explore simpler ME schemes for more expressive functionalities under standard assumptions in the standard model, we present an IP-ME scheme and an IP-ME with MSP scheme both under SXDH assumption in the standard model. The policies for access control of our schemes are beyond equality policy, and reach inner-product policy as well as MSP policy. Therefore, our schemes are more expressive than IB-ME schemes.
Data Availability
No underlying data was collected or produced in this study.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Authors’ Contributions
Anmin Fu, Haifeng Qian, Qiaohan Chu, and Jie Chen contributed in the methodology. Qiaohan Chu contributed in the writing. Anmin Fu, Jie Chen, and Haifeng Qian contributed in the reviewing. Haifeng Qian and Jie Chen contributed in the funding acquisition.
Acknowledgments
This research was supported by National Natural Science Foundation of China (61972156, 62372180), NSFC-ISF Joint Scientific Research Program (61961146004), National Key Research and Development Program of China (2018YFA0704701), and Innovation Program of Shanghai Municipal Education Commission (2021-01-07-00-08-E00101).